Debunking Salesforce Mobile App and Microsoft Intune Integration Myths
The Salesforce mobile app is Salesforce on the go! This enterprise mobile experience gives you access to the same information you see in the office, but organized for getting work done between customer meetings, while waiting for a flight, even when you’re in line for coffee. The mobile app includes many of your company’s customizations (done within Salesforce), so it’s tailored to your business needs.
By integrating the Salesforce Mobile App with Microsoft Intune*, organizations can leverage the features and capabilities of both platforms to enhance mobile device management, security, app deployment, compliance, and user experience. This integration provides a seamless and secure environment for accessing Salesforce data on mobile devices while maintaining control and protecting sensitive information. Let’s demystify how this works.
Myth: Salesforce Mobile App cannot work with Microsoft Intune.
Fact: The Salesforce mobile app’s interoperability with Mobile Device Management (MDM) providers is built around the standards-based AppConfig Community. Taking this standards-based approach to compatibility gives our customers maximum flexibility. Intune can leverage Salesforce Mobile’s MDM interoperability features to push specific configurations into the Salesforce app on managed devices (Intune MDM). Customers with Intune MDM can pre-provision all supported settings into the Salesforce app, such as the custom URL (My Domain) for the customer’s Salesforce org. To learn more, check out the resources below.
Myth: Customers who don’t use Intune MDM can’t use App Protection/Intune MAM.
Fact: For Mobile Application Management (MAM), Salesforce relies on its own implementation, Mobile App Plus, to deliver all security capabilities; this lets us maintain control over our entire stack instead of integrating third-party technologies. However, this does not mean you cannot successfully deploy the Salesforce app in an Intune-controlled corporate environment. Intune MAM’s app protection policies rely on Azure Conditional Access together with Single Sign-On and Multi-Factor Authentication. By enabling advanced authentication for mobile users, you move the authentication flow out of the app and into the native device browser, which Intune supports. To learn more, check out the resources below.
- Salesforce Mobile SSO config documentation
- Advanced Authentication toggle in MyDomain docs
- Trailblazer Community Discussion
Remember, Intune MDM is based on standards while Intune MAM is entirely proprietary. We do not support a wrapper or container app that tries to run the Salesforce app within it, which is essentially what Intune MAM does: it requires wrapping the Microsoft SDK into the mobile app code.
Myth: The ability to copy/paste outside of the Salesforce Mobile App poses a huge risk.
Fact: Customers can block copy/paste and other attributes, and use the Salesforce Mobile Security add-on for even more granular monitoring and security. Read the Salesforce Help article How to Secure Your Salesforce Mobile App to learn more.
Myth: It is more work to have non-standard settings outside of Intune.
Fact: Configuring Connected App settings is common practice for Salesforce admins and architects. This is done to ensure you have control over your entire stack, rather than integrating third-party technologies. You can also use Event Monitoring for visibility into security events that occur on mobile devices and automate actions based on those events. Intune provides similar visibility for its MAM-enabled applications.
Myth: We can’t use IP allowlisting or VPN to maintain strong security posture via Intune.
Fact: For VPN, review Intune MDM’s per-app VPN option. Regarding IP allowlisting, you can continuously enforce IP restrictions. Please note that Salesforce uses OAuth 2.0 for authentication, with either username/password or single sign-on credentials.
Myth: We cannot remote wipe using Intune since Salesforce Mobile App does not work with Intune.
Fact: During the login process, an OAuth token is established after authentication. When a user leaves the company or their device needs to be remote wiped (i.e., clear the cache and force the user to log out), that token can be revoked through the Salesforce UI or via an API. Note that data on the device is always encrypted, but customers can also disable caching in the mobile app to prevent data from being saved locally. This may impact performance, as the app will need to refresh record details and feed items every time they are viewed.
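One way to script the API side of that offboarding step, as an added example that is not Salesforce’s own code: it posts each of a departing user’s tokens to the documented OAuth 2.0 revoke endpoint (`/services/oauth2/revoke`) on the org’s My Domain host. The My Domain name, the token values, and the injectable `transport` used for offline testing are assumptions; the exact JSON error body on failure is only logged, not relied on.

```python
"""Revoke a departing user's Salesforce mobile OAuth tokens (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (url, form_body) and returns (http_status, response_text).
# Injecting it lets the revocation logic be exercised without network access.
Transport = Callable[[str, bytes], Tuple[int, str]]


def http_post(url: str, body: bytes) -> Tuple[int, str]:
    """Default transport: a real HTTPS form POST using only the standard library."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        # Salesforce answers 400 with a JSON error when the token is rejected.
        return e.code, e.read().decode()


def revoke_token(my_domain: str, token: str, transport: Transport = http_post) -> bool:
    """Revoke one access or refresh token. True when Salesforce accepted (HTTP 200)."""
    url = f"https://{my_domain}/services/oauth2/revoke"
    body = urllib.parse.urlencode({"token": token}).encode()
    status, text = transport(url, body)
    if status == 200:
        return True
    # Log the failure reason without echoing the token value itself.
    try:
        reason = json.loads(text).get("error", text)
    except ValueError:
        reason = text
    print(f"revoke failed ({status}): {reason}")
    return False


def offboard_user(my_domain: str, tokens: List[str],
                  transport: Transport = http_post) -> Dict[str, int]:
    """Revoke every token issued to the user's devices and tally the outcome."""
    tally = {"revoked": 0, "failed": 0}
    for tok in tokens:
        tally["revoked" if revoke_token(my_domain, tok, transport) else "failed"] += 1
    return tally
```

Run it with the token values gathered from the user’s Connected App sessions; a non-zero `failed` count means a token still needs attention in the Salesforce UI.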
Myth: We cannot enforce device compliance check using Intune for Salesforce Mobile App.
Fact: If the device is enrolled via Intune MDM, it can be marked “Compliant” by having a certificate and any additional attributes you need to check via a Conditional Access Policy. In this scenario, you should use native browser authentication to pass the required checks (see screenshot below). Read the Salesforce Help article Customize Your My Domain Login Page for Mobile Auth Methods to learn more.
Myth: Device Compliance Check in Intune MDM is sufficient so we don’t need Salesforce MAM (Mobile App+).
Fact: While device compliance checks, SSO/MFA and VPN are all the right tools, they are static in nature. To gain further visibility into Salesforce Mobile App user activity, you should use Mobile App+ (Salesforce MAM), which captures four real-time events that tie into Salesforce Shield. See the list of full features here.
Myth: The Salesforce Mobile App cannot be containerized using Intune, so we cannot enforce policies such as requiring the Outlook client to prevent sensitive data leakage.
Fact: Customers can enforce the email client using the out-of-the-box connected app attribute. Read the Salesforce Help article How to Secure Your Salesforce Mobile App to learn more.
Myth: If we have Mobile App+, we don’t need Salesforce Shield.
Fact: It depends on your security requirements. Salesforce Shield services allow you to satisfy compliance, regulatory and stringent security requirements around encryption, monitoring, auditing, data loss prevention, and retention. Shield security controls remain fully applicable to users while they are using the Salesforce mobile app. With Mobile App+ (MAM), you can also extend your security policies, especially for bring-your-own-device (BYOD) scenarios. Salesforce MAM captures four real-time events that tie into Salesforce Shield. See the list of full features here.
Customer Security and Compliance with Salesforce Mobile App and Microsoft Intune
Customers can use the Salesforce Mobile App with Microsoft Intune MDM and leverage advanced authentication options with Azure to cover most of their security requirements. Once the user is in the Salesforce app post-authentication, customers can decide whether or not to use Mobile App+ (Salesforce MAM), depending on their security and compliance requirements. However, Microsoft Intune cannot capture user activity the way Salesforce MAM does, since it is Salesforce on Salesforce. In the end, customer security and compliance requirements decide what is controlled via Microsoft Intune and what is enabled within Salesforce.
*Disclaimer: Salesforce has made a good faith effort to provide you with Salesforce Mobile and Intune specific responses. The information provided here is for informational purposes only, and based on numerous customer conversations and public documentation. Salesforce can only provide details on how Salesforce Mobile App works and integrates with various MDM solutions and Intune based on standards. For Intune specific questions, see Microsoft documentation.